Privacy Policy

How we handle your data.

Last updated: 2026-05-20 · Governing law: Digital Personal Data Protection Act, 2023 (DPDPA), Information Technology Act, 2000 and the rules made thereunder.

1. Who we are

Vetted is operated by LawCrust Global Consulting Ltd. ("we", "us", "our"), an Indian company. For the purposes of the DPDPA, we are the Data Fiduciary for personal data you provide to us in connection with the Vetted service.

2. What personal data we collect

We collect only what we need to provide the service:

  • Account data: email address, name, organisation name, and password hash (we never store passwords in plain text).
  • Intake data: the company / organisation details you enter when generating a policy - registered office state, employee headcount, Internal Committee composition, branding preferences. This data is stored against your account and used only to generate documents you request.
  • Payment metadata: for paid plans and per-doc unlocks, we receive transaction identifiers, status and amount from our payment processors (Razorpay and Cashfree). We do not store full card numbers, CVVs or banking credentials - those remain with the payment processor.
  • Usage data: generation history, document metadata (title, policy type, generation timestamp), and feature usage telemetry used to improve the product.
  • Support communications: emails and ticket content you send to our support team.
  • Audit-tool inputs: when you use the upload-and-improve audit at /audit, the text of your existing policy lives in server memory for the duration of one audit call only, is sent to our drafting / verification model, and is then discarded. We do not persist the source policy text.

We do not knowingly collect children's data. The service is built for use by employed adults of legal age in India.

3. Lawful basis for processing

We process personal data on the following bases under Section 4 of the DPDPA: (a) consent — you give us specific, informed consent at sign-up and at each generation; (b) legitimate use — performance of the contract to deliver the service you purchased; (c) compliance with law — statutory record-keeping (e.g. GST invoicing, tax records) and response to lawful orders.

4. Who we share data with

We share data only with the following categories of recipients, each under a written processor agreement:

  • AI model providers: intake fields and policy text are sent to large-language-model providers to generate and verify your document. Model providers act as processors; they are contractually prohibited from training on your data or using it for any purpose other than serving your request.
  • Cloud infrastructure: Supabase (Postgres database + storage) and Vercel (web hosting) under their respective data-processing agreements. Data is stored in regions chosen for low latency to Indian users.
  • Payment processors: Razorpay Software Private Limited and Cashfree Payments India Private Limited. Payment card data flows directly from your browser to the processor; we receive only the order metadata.
  • Email delivery: a third-party transactional email provider sends magic-link sign-in, password reset and receipt emails.
  • Government or law-enforcement authorities where required under a valid lawful order.

We do not sell personal data to anyone.

5. How long we keep your data

  • Account & generated documents: retained while your account is active. On account deletion the documents and personal data are deleted within 30 days, subject to the statutory retention requirements below.
  • Audit-tool inputs: not retained — the source policy text is discarded immediately after the audit completes.
  • Tax / invoice records: retained for eight (8) years from the end of the relevant financial year, as required under the GST Act and Income-Tax Act.
  • Server logs: retained for ninety (90) days for security and abuse-prevention purposes, then aggregated or deleted.

6. Your rights as a Data Principal

Subject to Section 11 of the DPDPA you may at any time: (a) request a summary of the personal data we process about you; (b) request correction or erasure of inaccurate or outdated personal data; (c) withdraw a previously-granted consent; (d) nominate another individual to exercise these rights on your death or incapacity; (e) raise a grievance with our Grievance Officer (see Section 8 below); (f) escalate an unresolved grievance to the Data Protection Board of India once it is constituted under the DPDPA.

To exercise any right above please email privacy@legalprotect360.com from the email address registered with your account. We acknowledge requests within 24 hours and resolve them within 15 days. There is no charge for the first request in any calendar year.

7. Security

We use industry-standard technical and organisational safeguards: TLS 1.2+ for all data in transit, encryption at rest for the database, role-based access control on administrative interfaces, and quarterly review of access. We notify affected users without undue delay (and in any case within seventy-two (72) hours of becoming aware) in the event of a personal-data breach that is likely to cause significant harm, as required under Section 8 of the DPDPA.

8. Grievance Officer

In accordance with Section 8 of the DPDPA and Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, our Grievance Officer can be reached at privacy@legalprotect360.com. The postal address is the registered office set out on the Contact page.

9. Cookies and similar technologies

We use first-party cookies strictly necessary to keep you signed in, remember your form progress, and prevent abuse. We do not use third-party advertising or behavioural-targeting cookies. You may block cookies in your browser; the service will not function correctly without the session cookie.

10. Changes to this policy

We update this Privacy Policy from time to time to reflect changes in law or in our practices. The “Last updated” date at the top of this page indicates when the most recent change took effect. Material changes will be notified to registered users by email at least seven (7) days before they take effect.